As cars come to increasingly resemble moving computers, with millions of lines of code governing their systems, fears about the possibility of automotive terrorism have expanded among some in the industry and its regulating bodies. At the same time, others have dismissed the likelihood of such attacks, labeling them as “fear-mongering.” With software playing an increasingly important role in cars, the onus may be on manufacturers that they are taking steps such as using secure development lifecycles to protect consumers.
A recent AOL Autos article explored the possibility of automotive cyberterrorism, noting that the National Highway Traffic Safety Administration opened a department focused on the issue last year. Questions about the software security of cars were also at the center of a recent Senate Commerce Committee hearing, in which senators questioned the possibility of, for instance, a foreign hacker remotely shutting down a car’s software-intensive systems.
Researchers have explored the possibility, with a team from the University of Washington and the University of California-San Diego proving that they could unlock doors, turn an engine on or off and compromise other critical systems in a 2010 experiment. In a later study, the team showed they could take full control of a car’s telematics system by uploading malware from a CD and calling the car’s cell phone. And research on the subject is continuing, with a presentation on the security of automotive electronic control units and controller area network buses at the upcoming Def Con security conference garnering some media attention.
“I know the industry is attentive to this, but just like computers these days – and your car is a computer – you have some documented cases where companies that have very good attention to security can be compromised,” John D. Lee, a professor of mechanical engineering at the University of Wisconsin, told AOL Autos.
Keeping the road safe
To many, though, the difficulty of such attacks means that they continue to be an extremely minor threat. A Jalopnik post responding to the AOL Autos article dismissed the idea as “fear-mongering,” noting that the physical components of cars are still manually controlled and that most automotive software is specifically installed to provide safety checks for physical mistakes.
Additionally, the studies showing that cars could be compromised were performed under laboratory conditions – the University of Washington study explicitly failed on cars traveling faster than 5 miles per hour – and mostly required physical access. A foreign attacker, in other words, would have a hard time gaining access to a car. In the same Senate hearing that concerns were raised, NHTSA administrator David Strickland said that he was satisfied with the extent of his agency’s current terrorism response, noting that “What we do know, at this point right now, is there has never been an unauthorized accessing of a vehicle currently on the road today.”
Nonetheless, as fears around the issue continue to circulate, automakers will likely be under increased scrutiny to assure consumers and lawmakers of the security of their embedded software. By following MISRA standards and using secure development practices, they can better prove the integrity of onboard systems and dismiss such concerns.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.